Compare commits

..

13 Commits

Author SHA1 Message Date
unkinben 2254a39d77 feat: add artifact-keeper
- converted the artifact-keeper helm-chart into kustomization manifests
- converted postgres to cnpg
- moved secrets to vault
2026-04-19 18:43:56 +10:00
unkinben 7d555cd31a feat: migrate purelb to ArgoCD (#84)
Migrate PureLB load balancer from Terragrunt to ArgoCD/Kustomize.
Deploys purelb v0.13.0 with two LBNodeAgent and two ServiceGroup CRs
(common: 198.18.200.0/24, dmz: 198.18.199.0/24).
Adds LBNodeAgent and ServiceGroup to kubeconform skip list (no CRD catalog schema).

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #84
2026-04-07 19:52:17 +10:00
unkinben f0bdc0231a feat: migrate vso-system to ArgoCD (#81)
Migrate Vault Secrets Operator from Terragrunt to ArgoCD/Kustomize.
Deploys vault-secrets-operator v1.2.0 with 3 replicas, plus ClusterRole,
ClusterRoleBindings, and vault-admin ServiceAccount.

Note: static service account tokens (kubernetes.io/service-account-token)
cannot be stored in git; create manually or via Vault after deployment.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #81
2026-04-07 19:33:50 +10:00
unkinben b100f3034e feat: migrate observability to ArgoCD (#82)
Migrate Victoria Metrics cluster and agent from Terragrunt to ArgoCD/Kustomize.
Creates new observability AppProject and ApplicationSet.
Deploys victoria-metrics-cluster v0.33.0 (vmselect/vminsert/vmstorage with
HPA, PDB, ingress) and victoria-metrics-agent v0.30.0 (3 replicas, k8s scrape
configs) in the observability namespace.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #82
2026-04-07 19:15:45 +10:00
unkinben c3a145acbf feat: remove jfrog container registry (#83)
its not used and never really installed correctly. going to change to
artifact-keeper which promises to have the same capabilities and is open
source.

Reviewed-on: #83
2026-04-07 19:03:32 +10:00
unkinben 181bc152e7 feat: migrate vm-system to ArgoCD (#80)
Migrate Victoria Metrics operator from Terragrunt to ArgoCD/Kustomize.
Deploys victoria-metrics-operator v0.57.1 with 2 replicas in vm-system.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #80
2026-03-27 17:04:15 +11:00
unkinben 5bcbd7e1ba feat: migrate elastic-system to ArgoCD (#79)
Migrate ECK operator from Terragrunt to ArgoCD/Kustomize.
Deploys eck-operator v3.2.0 with 2 replicas and PodDisruptionBudget
in the elastic-system namespace.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #79
2026-03-27 17:00:05 +11:00
unkinben 02195e6235 feat: migrate reposync to ArgoCD (#78)
Migrate repository sync cronjobs from Terragrunt to ArgoCD/Kustomize.
Adds four daily CronJobs (almalinux9-baseos, almalinux9-appstream, epel9,
openvox7) with associated PVCs and ConfigMaps in the reposync namespace.

💘 Generated with Crush

Assisted-by: Claude Sonnet 4.6 via Crush <crush@charm.land>

Reviewed-on: #78
2026-03-27 16:26:35 +11:00
unkinben 95c9302aa8 feat: enable downloading tea (#77)
- enable downloading the tea prebuilt binaries

Reviewed-on: #77
2026-03-26 14:02:15 +11:00
unkinben e269220228 fix: clone r10k config to /tmp/r10k-config instead of /shared (#76)
The g10k-code cronjob was failing with "Permission denied" because the
container (running as uid 999, non-root) attempted to create /shared in
the container root filesystem, which is not writable. Clone to /tmp
which is always writable by unprivileged users.

Reviewed-on: #76
2026-03-24 19:25:06 +11:00
unkinben 1388875685 fix: remove shared-config PVC from g10k cronjob, clone r10k config directly (#75)
The RWO puppetserver-shared-config PVC caused multi-attach errors when
the cronjob pod was scheduled on a different node than the previous run,
stalling the init container indefinitely. Since the config only needs to
exist for the duration of the job, remove the init container and PVC
entirely and clone the r10k config directly into /shared within the main
container before running g10k.

Reviewed-on: #75
2026-03-24 18:54:58 +11:00
unkinben 49224d4a1b fix: increase generate-types memory limit and remove invalid JVM env var (#74)
The container was OOMKilled on every run because the 256Mi limit was far
too low for `puppet generate types`. Remove PUPPETSERVER_JAVA_ARGS (only
relevant to the puppetserver JVM, not the puppet CLI) and raise the
memory limit to 1Gi / request 512Mi.

Reviewed-on: #74
2026-03-24 18:51:46 +11:00
unkinben 28dc8dc238 feat: update gems for puppet (#73)
- add deep_merge, ipaddr, and hiera-eyaml gems
- pin intel-device-plugins to 0.35.0

Reviewed-on: #73
2026-03-24 18:33:03 +11:00
75 changed files with 2681 additions and 156 deletions
@@ -0,0 +1,94 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: artifact-keeper-postgres
namespace: artifact-keeper
spec:
affinity:
podAntiAffinityType: preferred
bootstrap:
initdb:
database: artifact_registry
encoding: UTF8
localeCType: C
localeCollate: C
owner: registry
secret:
name: postgres-credentials
postInitSQL:
- CREATE DATABASE dependency_track OWNER registry;
- GRANT ALL PRIVILEGES ON DATABASE dependency_track TO registry;
enablePDB: true
enableSuperuserAccess: false
failoverDelay: 0
imageName: ghcr.io/cloudnative-pg/postgresql:17-minimal-trixie
instances: 3
logLevel: info
maxSyncReplicas: 0
minSyncReplicas: 0
monitoring:
customQueriesConfigMap:
- key: queries
name: cnpg-default-monitoring
disableDefaultQueries: false
enablePodMonitor: false
postgresql:
parameters:
archive_mode: "on"
archive_timeout: 5min
dynamic_shared_memory_type: posix
effective_cache_size: 256MB
full_page_writes: "on"
log_destination: csvlog
log_directory: /controller/log
log_filename: postgres
log_rotation_age: "0"
log_rotation_size: "0"
log_truncate_on_rotation: "false"
logging_collector: "on"
max_connections: "200"
max_parallel_workers: "16"
max_replication_slots: "16"
max_worker_processes: "16"
shared_buffers: 128MB
shared_memory_type: mmap
ssl_max_protocol_version: TLSv1.3
ssl_min_protocol_version: TLSv1.3
wal_keep_size: 256MB
wal_level: logical
wal_log_hints: "on"
wal_receiver_timeout: 5s
wal_sender_timeout: 5s
syncReplicaElectionConstraint:
enabled: false
primaryUpdateMethod: restart
primaryUpdateStrategy: unsupervised
probes:
liveness:
isolationCheck:
connectionTimeout: 1000
enabled: true
requestTimeout: 1000
replicationSlots:
highAvailability:
enabled: true
slotPrefix: _cnpg_
synchronizeReplicas:
enabled: true
updateInterval: 30
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
smartShutdownTimeout: 180
startDelay: 3600
stopDelay: 1800
storage:
resizeInUseVolumes: true
size: 20Gi
storageClass: cephrbd-fast-delete
switchoverDelay: 3600
@@ -0,0 +1,33 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
name: artifact-keeper-postgres-pooler
namespace: artifact-keeper
spec:
cluster:
name: artifact-keeper-postgres
instances: 2
pgbouncer:
parameters:
default_pool_size: "100"
max_client_conn: "400"
paused: false
poolMode: session
template:
metadata:
labels:
app: artifact-keeper-pooler
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- artifact-keeper-pooler
topologyKey: kubernetes.io/hostname
containers: []
type: rw
@@ -0,0 +1,20 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
data:
BIND_ADDRESS: "0.0.0.0:8080"
LOG_LEVEL: "info,artifact_keeper=debug"
STORAGE_BACKEND: "s3"
MEILISEARCH_URL: "http://meilisearch:7700"
TRIVY_URL: "http://trivy:8090"
DEPENDENCY_TRACK_URL: "http://dtrack:8080"
DEPENDENCY_TRACK_ENABLED: "true"
SCAN_WORKSPACE_PATH: "/scan-workspace"
PLUGINS_DIR: "/data/plugins"
@@ -0,0 +1,15 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: s3-env
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
data:
S3_ENDPOINT: "https://radosgw.service.consul"
S3_BUCKET: "artifact-keeper"
S3_REGION: "ap-southeast-2"
S3_PATH_STYLE: "true"
@@ -0,0 +1,171 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
annotations:
reloader.stakater.com/auto: "true"
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
spec:
serviceAccountName: backend
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- backend
topologyKey: kubernetes.io/hostname
initContainers:
- name: wait-for-postgres
image: postgres:16-alpine
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for PostgreSQL..."
until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
sleep 3
done
echo "PostgreSQL is ready"
- name: wait-for-meilisearch
image: alpine:3.20
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
ephemeral-storage: 32Mi
limits:
cpu: 100m
memory: 64Mi
ephemeral-storage: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for Meilisearch..."
until wget -qO- http://meilisearch:7700/health >/dev/null 2>&1; do
sleep 3
done
echo "Meilisearch is ready"
containers:
- name: backend
image: "ghcr.io/artifact-keeper/artifact-keeper-backend:dev"
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["/bin/sh", "-c"]
args:
- |
if [ -f /shared/dtrack-api-key ] && [ -s /shared/dtrack-api-key ]; then
export DEPENDENCY_TRACK_API_KEY="$(cat /shared/dtrack-api-key)"
fi
exec /usr/local/bin/artifact-keeper
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: grpc
containerPort: 9090
protocol: TCP
envFrom:
- configMapRef:
name: config
- configMapRef:
name: s3-env
- secretRef:
name: s3-credentials
- secretRef:
name: app-secrets
resources:
limits:
cpu: "2"
memory: 2Gi
requests:
cpu: 250m
memory: 256Mi
livenessProbe:
httpGet:
path: /livez
port: http
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: storage
mountPath: /data/storage
subPath: storage
- name: storage
mountPath: /data/backups
subPath: backups
- name: storage
mountPath: /data/plugins
subPath: plugins
- name: scan-workspace
mountPath: /scan-workspace
- name: shared-config
mountPath: /shared
readOnly: true
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: storage
persistentVolumeClaim:
claimName: storage
- name: scan-workspace
persistentVolumeClaim:
claimName: scan-workspace
- name: shared-config
persistentVolumeClaim:
claimName: shared-config
@@ -0,0 +1,111 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dtrack
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
initContainers:
- name: wait-for-postgres
image: postgres:16-alpine
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["/bin/sh", "-c"]
args:
- |
echo "Waiting for PostgreSQL..."
until pg_isready -h artifact-keeper-postgres-pooler -p 5432 -U registry; do
sleep 3
done
echo "PostgreSQL is ready"
containers:
- name: dtrack-api
image: "dependencytrack/apiserver:4.11.4"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: ALPINE_DATABASE_MODE
value: "external"
- name: ALPINE_DATABASE_URL
value: "jdbc:postgresql://artifact-keeper-postgres-pooler:5432/dependency_track"
- name: ALPINE_DATABASE_DRIVER
value: "org.postgresql.Driver"
- name: ALPINE_DATABASE_USERNAME
value: "registry"
- name: ALPINE_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: ALPINE_DATA_DIRECTORY
value: "/data"
- name: ALPINE_ENFORCE_AUTHENTICATION
value: "true"
- name: ALPINE_CORS_ENABLED
value: "true"
- name: ALPINE_CORS_ALLOW_ORIGIN
value: "*"
- name: JAVA_OPTIONS
value: "-Xmx4g"
resources:
limits:
cpu: "2"
memory: 6Gi
requests:
cpu: 250m
memory: 4Gi
volumeMounts:
- name: dtrack-data
mountPath: /data
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: dtrack-data
persistentVolumeClaim:
claimName: dtrack
@@ -0,0 +1,154 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: meilisearch
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: meilisearch
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
initContainers:
- name: fix-ownership
image: busybox:1.37
securityContext:
runAsNonRoot: false
runAsUser: 0
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- CHOWN
- FOWNER
resources:
requests:
cpu: 10m
memory: 16Mi
ephemeral-storage: 32Mi
limits:
cpu: 100m
memory: 64Mi
ephemeral-storage: 64Mi
command: ["sh", "-c", "chown -R 1000:1000 /meili_data"]
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
- name: version-guard
image: busybox:1.37
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 16Mi
limits:
cpu: 100m
memory: 64Mi
command: ["sh", "-c"]
args:
- |
EXPECTED="v1.12"
VERSION_FILE="/meili_data/data.ms/VERSION"
if [ ! -f "$VERSION_FILE" ]; then
echo "No existing database, fresh start"
exit 0
fi
CURRENT=$(cat "$VERSION_FILE" 2>/dev/null || echo "unknown")
echo "Current DB version: $CURRENT, expected image: $EXPECTED"
if echo "$CURRENT" | grep -qv "$(echo $EXPECTED | sed 's/^v//')"; then
echo "Version mismatch — wiping data.ms for clean re-index"
rm -rf /meili_data/data.ms
echo "Done. Backend will re-index automatically."
else
echo "Versions match, keeping existing data"
fi
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
containers:
- name: meilisearch
image: "getmeili/meilisearch:v1.12"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: false
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 7700
protocol: TCP
env:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: app-secrets
key: MEILISEARCH_API_KEY
- name: MEILI_ENV
value: "production"
- name: MEILI_MAX_INDEXING_THREADS
value: "4"
resources:
limits:
cpu: "1"
memory: 8Gi
requests:
cpu: 250m
memory: 512Mi
readinessProbe:
httpGet:
path: /health
port: 7700
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
httpGet:
path: /health
port: 7700
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: meilisearch-data
mountPath: /meili_data
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: meilisearch-data
persistentVolumeClaim:
claimName: meilisearch
@@ -0,0 +1,87 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: trivy
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: trivy
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 10000
fsGroup: 10000
containers:
- name: trivy
image: "aquasec/trivy:0.62.1"
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
command: ["trivy"]
args: ["server", "--listen", "0.0.0.0:8090", "--cache-dir", "/home/trivy/.cache"]
ports:
- name: http
containerPort: 8090
protocol: TCP
resources:
limits:
cpu: "1"
memory: 2Gi
requests:
cpu: 250m
memory: 256Mi
readinessProbe:
tcpSocket:
port: 8090
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
tcpSocket:
port: 8090
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
volumeMounts:
- name: trivy-cache
mountPath: /home/trivy/.cache
- name: tmp
mountPath: /tmp
- name: scan-workspace
mountPath: /scan-workspace
readOnly: true
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: trivy-cache
persistentVolumeClaim:
claimName: trivy-cache
- name: scan-workspace
persistentVolumeClaim:
claimName: scan-workspace
@@ -0,0 +1,98 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: web
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
spec:
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- web
topologyKey: kubernetes.io/hostname
containers:
- name: web
image: "ghcr.io/artifact-keeper/artifact-keeper-web:dev"
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
ports:
- name: http
containerPort: 3000
protocol: TCP
env:
- name: NEXT_PUBLIC_API_URL
value: ""
- name: BACKEND_URL
value: "http://backend:8080"
- name: NODE_ENV
value: "production"
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 250m
memory: 256Mi
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 5
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 20
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
volumeMounts:
- name: tmp
mountPath: /tmp
- name: nextjs-cache
mountPath: /app/.next/cache
volumes:
- name: tmp
emptyDir:
sizeLimit: 256Mi
- name: nextjs-cache
emptyDir:
sizeLimit: 1Gi
+286
View File
@@ -0,0 +1,286 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: artifact-keeper
namespace: artifact-keeper
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 10g
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: artifacts.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: artifacts.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
ingressClassName: nginx
rules:
- host: artifacts.k8s.syd1.au.unkin.net
http:
paths:
- path: /api
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /health
pathType: Exact
backend:
service:
name: backend
port:
number: 8080
- path: /ready
pathType: Exact
backend:
service:
name: backend
port:
number: 8080
- path: /v2
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /maven
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /npm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /pypi
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /nuget
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cargo
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /gems
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /go
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /helm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /debian
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /rpm
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /alpine
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /composer
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /conan
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /conda
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /swift
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /terraform
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cocoapods
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /hex
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /pub
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /lfs
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ivy
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /chef
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /puppet
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ansible
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /cran
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /huggingface
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /jetbrains
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /vscode
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /proto
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /incus
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /ext
pathType: Prefix
backend:
service:
name: backend
port:
number: 8080
- path: /dtrack
pathType: Prefix
backend:
service:
name: dtrack
port:
number: 8080
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 3000
tls:
- hosts:
- artifacts.k8s.syd1.au.unkin.net
secretName: artifacts-tls
@@ -0,0 +1,70 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: dtrack-init
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
backoffLimit: 3
template:
metadata:
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
spec:
restartPolicy: OnFailure
automountServiceAccountToken: false
securityContext:
runAsNonRoot: true
runAsUser: 1000
fsGroup: 1000
containers:
- name: dtrack-init
image: alpine:3.20
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
resources:
requests:
cpu: 10m
memory: 32Mi
ephemeral-storage: 64Mi
limits:
cpu: 200m
memory: 128Mi
ephemeral-storage: 128Mi
command: ["/bin/sh", "-c"]
args:
- |
apk add --no-cache curl jq >/dev/null 2>&1
/bin/sh /scripts/init-dtrack.sh
env:
- name: DEPENDENCY_TRACK_URL
value: "http://dtrack:8080"
- name: DEPENDENCY_TRACK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: app-secrets
key: DEPENDENCY_TRACK_ADMIN_PASSWORD
volumeMounts:
- name: init-script
mountPath: /scripts
readOnly: true
- name: shared-config
mountPath: /shared
volumes:
- name: init-script
configMap:
name: dtrack-init
defaultMode: 0755
- name: shared-config
persistentVolumeClaim:
claimName: shared-config
@@ -0,0 +1,33 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount_backend.yaml
- cnpg_cluster.yaml
- cnpg_pooler.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- configmap_app-config.yaml
- configmap_s3-env.yaml
- persistentvolumeclaims.yaml
- service_backend.yaml
- service_dtrack.yaml
- service_meilisearch.yaml
- service_trivy.yaml
- service_web.yaml
- deployment_backend.yaml
- deployment_dtrack.yaml
- deployment_meilisearch.yaml
- deployment_trivy.yaml
- deployment_web.yaml
- job_dtrack-init.yaml
- ingress.yaml
configMapGenerator:
- name: dtrack-init
files:
- resources/init-dtrack.sh
options:
disableNameSuffixHash: true
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
@@ -0,0 +1,78 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: storage
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: scan-workspace
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: shared-config
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteMany
storageClassName: cephfs-raid5-delete
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: dtrack
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: meilisearch
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: trivy-cache
namespace: artifact-keeper
spec:
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
resources:
requests:
storage: 5Gi
+43
View File
@@ -0,0 +1,43 @@
#!/bin/sh
set -e
DT_URL="${DEPENDENCY_TRACK_URL:-http://ak-artifact-keeper-dtrack:8080}"
DT_ADMIN_USER="admin"
DT_DEFAULT_PASS="admin"
DT_NEW_PASS="${DEPENDENCY_TRACK_ADMIN_PASSWORD}"
API_KEY_FILE="/shared/dtrack-api-key"
echo "[dtrack-init] Waiting for Dependency-Track at $DT_URL ..."
for i in $(seq 1 60); do
if curl -sf "$DT_URL/api/version" > /dev/null 2>&1; then break; fi
if [ "$i" -eq 60 ]; then echo "[dtrack-init] ERROR: timeout"; exit 1; fi
sleep 5
done
if [ -f "$API_KEY_FILE" ] && [ -s "$API_KEY_FILE" ]; then
echo "[dtrack-init] API key already provisioned -- skipping"
exit 0
fi
TOKEN=$(curl -sf -X POST "$DT_URL/api/v1/user/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_NEW_PASS}" 2>/dev/null || true)
if [ -z "$TOKEN" ] || echo "$TOKEN" | grep -qi "FORCE_PASSWORD_CHANGE"; then
curl -sf -o /dev/null -X POST "$DT_URL/api/v1/user/forceChangePassword" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_DEFAULT_PASS}&newPassword=${DT_NEW_PASS}&confirmPassword=${DT_NEW_PASS}"
TOKEN=$(curl -sf -X POST "$DT_URL/api/v1/user/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${DT_ADMIN_USER}&password=${DT_NEW_PASS}" 2>/dev/null || true)
fi
if [ -z "$TOKEN" ]; then echo "[dtrack-init] ERROR: auth failed"; exit 1; fi
API_KEY=$(curl -sf "$DT_URL/api/v1/team" \
-H "Authorization: Bearer $TOKEN" | \
jq -r '.[] | select(.name == "Automation") | .apiKeys[0].key // empty')
if [ -z "$API_KEY" ]; then echo "[dtrack-init] ERROR: no API key"; exit 1; fi
echo "$API_KEY" > "$API_KEY_FILE"
echo "[dtrack-init] Done"
@@ -0,0 +1,26 @@
---
apiVersion: v1
kind: Service
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
- name: grpc
port: 9090
targetPort: grpc
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: backend
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: dtrack
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: dependency-track
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: dependency-track
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: meilisearch
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: meilisearch
spec:
type: ClusterIP
ports:
- name: http
port: 7700
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: meilisearch
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: trivy
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: trivy
spec:
type: ClusterIP
ports:
- name: http
port: 8090
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: trivy
@@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: web
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: web
spec:
type: ClusterIP
ports:
- name: http
port: 3000
targetPort: http
protocol: TCP
selector:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/component: web
@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backend
namespace: artifact-keeper
labels:
app.kubernetes.io/name: artifact-keeper
app.kubernetes.io/instance: ak
app.kubernetes.io/part-of: artifact-keeper
app.kubernetes.io/component: backend
+18
View File
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: default
namespace: artifact-keeper
spec:
allowedNamespaces:
- artifact-keeper
kubernetes:
audiences:
- vault
role: default
serviceAccount: default
tokenExpirationSeconds: 600
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
@@ -0,0 +1,51 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-credentials
namespace: artifact-keeper
spec:
destination:
create: true
name: postgres-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/postgres-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: app-secrets
namespace: artifact-keeper
spec:
destination:
create: true
name: app-secrets
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/app-secrets
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: s3-credentials
namespace: artifact-keeper
spec:
destination:
create: true
name: s3-credentials
overwrite: true
hmacSecretData: true
mount: kv
path: kubernetes/namespace/artifact-keeper/default/s3-credentials
refreshAfter: 5m
type: kv-v2
vaultAuthRef: default
@@ -63,6 +63,7 @@ remotes:
description: "Gitea download site" description: "Gitea download site"
include_patterns: include_patterns:
- "act_runner/.*/act_runner-.*-linux-amd64$" - "act_runner/.*/act_runner-.*-linux-amd64$"
- "tea/.*/tea-.*-linux-amd64$"
cache: cache:
file_ttl: 0 file_ttl: 0
index_ttl: 0 index_ttl: 0
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: elastic-system
name: elastic-system
-5
View File
@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: jfrog
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: observability
name: observability
+9 -41
View File
@@ -26,38 +26,6 @@ spec:
spec: spec:
hostname: g10k-code hostname: g10k-code
imagePullSecrets: null imagePullSecrets: null
initContainers:
- name: fetch-config
image: alpine/git:latest
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/config
cp /tmp/config/r10k.yaml /shared/r10k.yaml
echo "r10k.yaml fetched successfully"
command:
- /bin/sh
- -c
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /shared
name: shared-config
containers: containers:
- name: g10k-code - name: g10k-code
image: git.unkin.net/unkin/almalinux9-g10k:20260308 image: git.unkin.net/unkin/almalinux9-g10k:20260308
@@ -69,11 +37,16 @@ spec:
limits: limits:
cpu: 200m cpu: 200m
memory: 256Mi memory: 256Mi
args:
- -config
- /shared/r10k.yaml
command: command:
- /usr/bin/g10k - /bin/sh
- -c
args:
- |
set -e
echo "Cloning r10k config repository..."
git clone https://git.unkin.net/unkin/puppet-r10k.git /tmp/r10k-config
echo "Running g10k..."
/usr/bin/g10k -config /tmp/r10k-config/r10k.yaml
envFrom: null envFrom: null
env: [] env: []
securityContext: securityContext:
@@ -87,8 +60,6 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /etc/puppetlabs/code/ - mountPath: /etc/puppetlabs/code/
name: puppet-code-volume name: puppet-code-volume
- mountPath: /shared
name: shared-config
restartPolicy: OnFailure restartPolicy: OnFailure
securityContext: securityContext:
fsGroup: 999 fsGroup: 999
@@ -96,6 +67,3 @@ spec:
- name: puppet-code-volume - name: puppet-code-volume
persistentVolumeClaim: persistentVolumeClaim:
claimName: puppetserver-code-shared claimName: puppetserver-code-shared
- name: shared-config
persistentVolumeClaim:
claimName: puppetserver-shared-config
+3 -5
View File
@@ -41,16 +41,14 @@ spec:
echo "Generating types for $env" echo "Generating types for $env"
puppet generate types --environment "$env" puppet generate types --environment "$env"
done done
env: env: []
- name: PUPPETSERVER_JAVA_ARGS
value: -Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false
resources: resources:
limits: limits:
cpu: 300m cpu: 300m
memory: 256Mi memory: 1Gi
requests: requests:
cpu: 200m cpu: 200m
memory: 128Mi memory: 512Mi
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
runAsNonRoot: false runAsNonRoot: false
@@ -73,24 +73,6 @@ spec:
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: r10k-shared-config
app.kubernetes.io/instance: puppetserver
app.kubernetes.io/name: puppetserver
app.kubernetes.io/version: 8.8.0
name: puppetserver-shared-config
namespace: puppet
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: metadata:
labels: labels:
app.kubernetes.io/component: puppetboard app.kubernetes.io/component: puppetboard
+8
View File
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- lbnodeagents.yaml
- servicegroups.yaml
+28
View File
@@ -0,0 +1,28 @@
---
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
labels:
app.kubernetes.io/component: lbnodeagent
app.kubernetes.io/name: purelb
name: common
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
---
apiVersion: purelb.io/v1
kind: LBNodeAgent
metadata:
labels:
app.kubernetes.io/component: lbnodeagent
app.kubernetes.io/name: purelb
name: dmz
namespace: purelb
spec:
local:
extlbint: kube-lb0
localint: default
sendgarp: false
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: purelb
name: purelb
+30
View File
@@ -0,0 +1,30 @@
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
labels:
app.kubernetes.io/component: servicegroup
app.kubernetes.io/name: purelb
name: common
namespace: purelb
spec:
local:
v4pools:
- aggregation: /32
pool: 198.18.200.0/24
subnet: 198.18.200.0/24
---
apiVersion: purelb.io/v1
kind: ServiceGroup
metadata:
labels:
app.kubernetes.io/component: servicegroup
app.kubernetes.io/name: purelb
name: dmz
namespace: purelb
spec:
local:
v4pools:
- aggregation: /32
pool: 198.18.199.0/24
subnet: 198.18.199.0/24
@@ -0,0 +1,18 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: reposync
app.kubernetes.io/name: reposync
name: dnf-conf
namespace: reposync
data:
dnf.conf: |
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
max_parallel_downloads=6
@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: reposync-openvox7
app.kubernetes.io/name: reposync
name: openvox7-openvox-repo
namespace: reposync
data:
openvox.repo: |
[openvox]
name=openvox repository
baseurl=https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/openvox7/el/9/x86_64/
gpgkey=https://artifactapi.k8s.syd1.au.unkin.net/api/v1/remote/openvox/GPG-KEY-openvox.pub
enabled=1
gpgcheck=1
@@ -0,0 +1,72 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-appstream
app.kubernetes.io/name: reposync
name: reposync-almalinux9-appstream
namespace: reposync
spec:
schedule: "10 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data \
--download-metadata \
--newest-only \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "appstream"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-almalinux9-appstream-repodata
- name: dnf-conf
configMap:
name: dnf-conf
@@ -0,0 +1,75 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-baseos
app.kubernetes.io/name: reposync
name: reposync-almalinux9-baseos
namespace: reposync
spec:
schedule: "0 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Create repo directory
mkdir -p /data/almalinux/$REPO_TYPE
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data/almalinux/$REPO_TYPE \
--download-metadata \
--newest-only \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "baseos"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-almalinux9-baseos-repodata
- name: dnf-conf
configMap:
name: dnf-conf
@@ -0,0 +1,72 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-epel9
app.kubernetes.io/name: reposync
name: reposync-epel9
namespace: reposync
spec:
schedule: "20 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data \
--download-metadata \
--newest-only \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "epel"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-epel9-repodata
- name: dnf-conf
configMap:
name: dnf-conf
@@ -0,0 +1,78 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/component: reposync-openvox7
app.kubernetes.io/name: reposync
name: reposync-openvox7
namespace: reposync
spec:
schedule: "30 2 * * *"
timeZone: "Australia/Sydney"
concurrencyPolicy: Forbid
suspend: false
successfulJobsHistoryLimit: 10
failedJobsHistoryLimit: 5
jobTemplate:
spec:
completions: 1
parallelism: 1
backoffLimit: 3
ttlSecondsAfterFinished: 3600
template:
spec:
restartPolicy: Never
containers:
- name: reposync
image: git.unkin.net/unkin/almalinux9-base:latest
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
set -euo pipefail
echo "Starting AlmaLinux $REPO_TYPE repository sync..."
# Install reposync
dnf install -y dnf-plugins-core
# Sync repository
dnf reposync \
--repoid=$REPO_TYPE \
--destdir=/data \
--download-metadata \
--delete
echo "AlmaLinux $REPO_TYPE repository sync completed successfully"
env:
- name: REPO_TYPE
value: "openvox"
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: repodata
mountPath: /data
readOnly: false
- name: dnf-conf
mountPath: /etc/dnf/dnf.conf
subPath: dnf.conf
readOnly: true
- name: openvox-repo
mountPath: /etc/yum.repos.d/openvox.repo
subPath: openvox.repo
readOnly: true
volumes:
- name: repodata
persistentVolumeClaim:
claimName: reposync-openvox7-repodata
- name: dnf-conf
configMap:
name: dnf-conf
- name: openvox-repo
configMap:
name: openvox7-openvox-repo
+13
View File
@@ -0,0 +1,13 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- configmap_dnf-conf.yaml
- configmap_openvox-repo.yaml
- persistentvolumeclaims.yaml
- cronjob_reposync-almalinux9-baseos.yaml
- cronjob_reposync-almalinux9-appstream.yaml
- cronjob_reposync-epel9.yaml
- cronjob_reposync-openvox7.yaml
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: reposync
name: reposync
@@ -0,0 +1,64 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-baseos
app.kubernetes.io/name: reposync
name: reposync-almalinux9-baseos-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-almalinux9-appstream
app.kubernetes.io/name: reposync
name: reposync-almalinux9-appstream-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-epel9
app.kubernetes.io/name: reposync
name: reposync-epel9-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 30Gi
storageClassName: cephrbd-fast-delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/component: reposync-openvox7
app.kubernetes.io/name: reposync
name: reposync-openvox7-repodata
namespace: reposync
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: cephrbd-fast-delete
+6
View File
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: vm-system
name: vm-system
@@ -0,0 +1,12 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: vault-service-account-admin
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-service-account-admin
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
@@ -0,0 +1,32 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/part-of: vault-secrets-operator
name: vso-system-vault-secrets-operator-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-secrets-operator-controller-manager
namespace: vso-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: vso-system-vault-admin-binding
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-admin-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vso-system-vault-service-account-admin
subjects:
- kind: ServiceAccount
name: vso-system-vault-admin
namespace: vso-system
+9
View File
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- serviceaccount_vault-admin.yaml
- clusterrole_vault-service-account-admin.yaml
- clusterrolebindings.yaml
+7
View File
@@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/name: vso-system
name: vso-system
@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: vault-admin
app.kubernetes.io/part-of: vault-secrets-system
name: vso-system-vault-admin
namespace: vso-system
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/artifact-keeper
@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: elastic-system
resources:
- ../../../base/elastic-system
helmCharts:
- name: eck-operator
repo: https://helm.elastic.co
version: "3.2.0"
releaseName: elastic-operator
namespace: elastic-system
valuesFile: values.yaml
@@ -0,0 +1,11 @@
replicaCount: 2
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 10m
memory: 150Mi
podDisruptionBudget:
enabled: true
minAvailable: 1
@@ -1,14 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/jfrog
helmCharts:
- name: artifactory-jcr
repo: https://charts.jfrog.io
version: "107.133.10"
releaseName: artifactory-jcr
namespace: jfrog
valuesFile: values.yaml
-63
View File
@@ -1,63 +0,0 @@
---
artifactory:
## Artifactory
## See full list of supported Artifactory options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
artifactory:
## Default tag is from the artifactory sub-chart in the requirements.yaml
image:
registry: releases-docker.jfrog.io
repository: jfrog/artifactory-jcr
resources: {}
# requests:
# memory: "1Gi"
# cpu: "500m"
# limits:
# memory: "4Gi"
# cpu: "1"
## The following Java options are passed to the java process running Artifactory.
## You should set them according to the resources set above.
## IMPORTANT: Make sure resources.limits.memory is at least 1G more than Xmx.
javaOpts: {}
# xms: "1g"
# xmx: "3g"
# other: ""
installer:
platform: jcr-helm
## Nginx
## See full list of supported Nginx options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
nginx:
enabled: true
tlsSecretName: ""
service:
type: LoadBalancer
## Ingress
## See full list of supported Ingress options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
ingress:
enabled: false
tls:
## PostgreSQL
## See list of supported postgresql options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
## Configuration values for the PostgreSQL dependency sub-chart
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
postgresql:
enabled: true
## This key is required for upgrades to protect old PostgreSQL chart's breaking changes.
databaseUpgradeReady: "yes"
## If NOT using the PostgreSQL in this chart (artifactory.postgresql.enabled=false),
## specify custom database details here or leave empty and Artifactory will use embedded derby.
## See full list of database options and documentation in artifactory chart: https://github.com/jfrog/charts/tree/master/stable/artifactory
# database:
jfconnect:
enabled: false
rtfs:
enabled: false
onemodel:
enabled: false
evidence:
enabled: false
apptrust:
enabled: false
unifiedpolicy:
enabled: false
platformfederation:
enabled: false
@@ -0,0 +1,22 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: observability
resources:
- ../../../base/observability
helmCharts:
- name: victoria-metrics-cluster
repo: https://victoriametrics.github.io/helm-charts/
version: "0.33.0"
releaseName: victoria-metrics-cluster
namespace: observability
valuesFile: values-vmcluster.yaml
- name: victoria-metrics-agent
repo: https://victoriametrics.github.io/helm-charts/
version: "0.30.0"
releaseName: victoria-metrics-agent
namespace: observability
valuesFile: values-vmagent.yaml
@@ -0,0 +1,102 @@
image:
repository: victoriametrics/vmagent
pullPolicy: IfNotPresent
global:
scrape_interval: 15s
podDisruptionBudget:
enabled: true
maxUnavailable: 1
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8481"
replicaCount: 3
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8429
service:
enabled: true
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmagent.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmagent.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
hosts:
- name: vmagent.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vmagent.k8s.syd1.au.unkin.net
secretName: vmagent-tls
ingressClassName: nginx
remoteWrite:
- url: http://victoria-metrics-cluster-vminsert.observability.svc.cluster.local:8480/insert/0/prometheus/
scrape_configs:
- job_name: vmagent
static_configs:
- targets: ["localhost:8429"]
- job_name: "kubernetes-apiservers"
kubernetes_sd_configs:
- role: endpoints
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
relabel_configs:
- source_labels:
- __meta_kubernetes_namespace
- __meta_kubernetes_service_name
- __meta_kubernetes_endpoint_port_name
action: keep
regex: default;kubernetes;https
- job_name: "kubernetes-nodes"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- job_name: "kubernetes-nodes-cadvisor"
scheme: https
tls_config:
ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
insecure_skip_verify: true
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
kubernetes_sd_configs:
- role: node
metrics_path: /metrics/cadvisor
relabel_configs:
- action: labelmap
regex: __meta_kubernetes_node_label_(.+)
- source_labels: [__metrics_path__]
target_label: metrics_path
metric_relabel_configs:
- action: replace
source_labels: [pod]
regex: '(.+)'
target_label: pod_name
replacement: '${1}'
- action: replace
source_labels: [container]
regex: '(.+)'
target_label: container_name
replacement: '${1}'
- action: replace
target_label: name
replacement: k8s_stub
- action: replace
source_labels: [id]
regex: '^/system\.slice/(.+)\.service$'
target_label: systemd_service_name
replacement: '${1}'
@@ -0,0 +1,185 @@
vmselect:
enabled: true
image:
repository: victoriametrics/vmselect
pullPolicy: IfNotPresent
variant: cluster
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8481
dedup.minScrapeInterval: 15s
replicationFactor: 2
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 50m
memory: 128Mi
horizontalPodAutoscaler:
enabled: true
maxReplicas: 10
minReplicas: 2
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8481"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
replicaCount: 2
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vmselect.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vmselect.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
hosts:
- name: vmselect.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vmselect.k8s.syd1.au.unkin.net
secretName: vmselect-tls
ingressClassName: nginx
vminsert:
enabled: true
image:
repository: victoriametrics/vminsert
variant: cluster
pullPolicy: IfNotPresent
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8480
replicationFactor: 2
resources:
limits:
cpu: 500m
memory: 1024Mi
requests:
cpu: 50m
memory: 128Mi
horizontalPodAutoscaler:
enabled: true
maxReplicas: 10
minReplicas: 2
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
behavior:
scaleUp:
stabilizationWindowSeconds: 0
selectPolicy: Max
policies:
- type: Percent
value: 100
periodSeconds: 30
- type: Pods
value: 4
periodSeconds: 30
scaleDown:
stabilizationWindowSeconds: 300
selectPolicy: Min
policies:
- type: Percent
value: 10
periodSeconds: 60
- type: Pods
value: 2
periodSeconds: 60
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8480"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
replicaCount: 2
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: vault-issuer
cert-manager.io/common-name: vminsert.k8s.syd1.au.unkin.net
cert-manager.io/private-key-size: "4096"
external-dns.alpha.kubernetes.io/hostname: vminsert.k8s.syd1.au.unkin.net
external-dns.alpha.kubernetes.io/target: 198.18.200.0
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
hosts:
- name: vminsert.k8s.syd1.au.unkin.net
path:
- /
port: http
tls:
- hosts:
- vminsert.k8s.syd1.au.unkin.net
secretName: vminsert-tls
ingressClassName: nginx
vmstorage:
enabled: true
image:
repository: victoriametrics/vmstorage
variant: cluster
pullPolicy: IfNotPresent
retentionPeriod: 180d
extraArgs:
envflag.enable: true
envflag.prefix: VM_
loggerFormat: json
httpListenAddr: :8482
dedup.minScrapeInterval: 15s
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "8482"
podDisruptionBudget:
enabled: true
maxUnavailable: 1
persistentVolume:
enabled: true
name: vmstorage-volume
accessModes:
- ReadWriteOnce
storageClassName: cephrbd-fast-delete
mountPath: /storage
size: 200Gi
replicaCount: 3
podManagementPolicy: OrderedReady
@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: purelb
resources:
- ../../../base/purelb
helmCharts:
- name: purelb
repo: https://gitlab.com/api/v4/projects/20400619/packages/helm/stable
version: "v0.13.0"
releaseName: purelb
namespace: purelb
valuesFile: values.yaml
+56
View File
@@ -0,0 +1,56 @@
image:
repository: registry.gitlab.com/purelb/purelb
tag: v0.13.0
pullPolicy: Always
allocator:
securityContext:
runAsNonRoot: true
runAsUser: 65534
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
tolerations: []
lbnodeagent:
extlbint: kube-lb0
localint: default
sendgarp: false
tolerations: []
containerSecurityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
drop:
- ALL
readOnlyRootFilesystem: false
runAsGroup: 0
runAsUser: 0
defaultAnnouncer: PureLB
serviceGroup:
create: false
name: default
Prometheus:
allocator:
Metrics:
enabled: false
serviceMonitor:
enabled: false
prometheusRules:
enabled: false
lbnodeagent:
Metrics:
enabled: false
serviceMonitor:
enabled: false
prometheusRules:
enabled: false
memberlistSecretKey: 8sb7ikA5qHwQQqxc
@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: reposync
resources:
- ../../../base/reposync
@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vm-system
resources:
- ../../../base/vm-system
helmCharts:
- name: victoria-metrics-operator
repo: https://victoriametrics.github.io/helm-charts/
version: "0.57.1"
releaseName: victoria-metrics-operator
namespace: vm-system
valuesFile: values.yaml
@@ -0,0 +1,9 @@
logLevel: "info"
replicaCount: 2
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
@@ -0,0 +1,24 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vso-system
resources:
- ../../../base/vso-system
helmCharts:
- name: vault-secrets-operator
repo: https://helm.releases.hashicorp.com
version: "1.2.0"
releaseName: vault-secrets-operator
namespace: vso-system
valuesFile: values.yaml
patches:
- path: patch_vaultauth-remove-namespace.yaml
target:
group: secrets.hashicorp.com
version: v1beta1
kind: VaultAuth
name: default
@@ -0,0 +1,2 @@
- op: remove
path: /spec/namespace
@@ -0,0 +1,28 @@
defaultVaultConnection:
enabled: true
address: "https://vault.service.consul:8200"
skipTLSVerify: false
caCertSecret: "vault-ca-cert"
defaultAuthMethod:
enabled: true
method: "kubernetes"
mount: "k8s/au/syd1"
namespace: ""
kubernetes:
role: "default"
serviceAccount: "vault-secrets-operator-controller-manager"
tokenAudiences: ["vault"]
controller:
replicas: 3
resources:
limits:
cpu: 500m
memory: 256Mi
requests:
cpu: 50m
memory: 128Mi
globalVaultAuth:
enabled: true
@@ -3,5 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- observability.yaml
- platform.yaml - platform.yaml
- storage.yaml - storage.yaml
+31
View File
@@ -0,0 +1,31 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: observability-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/observability
template:
metadata:
name: 'observability-{{path[3]}}'
spec:
project: observability
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}'
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- ServerSideApply=true
+8 -3
View File
@@ -12,16 +12,21 @@ spec:
directories: directories:
- path: apps/overlays/*/artifactapi - path: apps/overlays/*/artifactapi
- path: apps/overlays/*/cattle-system - path: apps/overlays/*/cattle-system
- path: apps/overlays/*/certificates
- path: apps/overlays/*/cert-manager - path: apps/overlays/*/cert-manager
- path: apps/overlays/*/certificates
- path: apps/overlays/*/cnpg-system - path: apps/overlays/*/cnpg-system
- path: apps/overlays/*/elastic-system
- path: apps/overlays/*/externaldns - path: apps/overlays/*/externaldns
- path: apps/overlays/*/inteldeviceplugins-system - path: apps/overlays/*/inteldeviceplugins-system
- path: apps/overlays/*/jfrog
- path: apps/overlays/*/node-feature-discovery - path: apps/overlays/*/node-feature-discovery
- path: apps/overlays/*/puppet
- path: apps/overlays/*/purelb
- path: apps/overlays/*/reflector-system - path: apps/overlays/*/reflector-system
- path: apps/overlays/*/reloader-system - path: apps/overlays/*/reloader-system
- path: apps/overlays/*/jfrog - path: apps/overlays/*/reposync
- path: apps/overlays/*/puppet - path: apps/overlays/*/vm-system
- path: apps/overlays/*/vso-system
- path: apps/overlays/*/woodpecker - path: apps/overlays/*/woodpecker
template: template:
metadata: metadata:
+1
View File
@@ -3,5 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- observability.yaml
- platform.yaml - platform.yaml
- storage.yaml - storage.yaml
+24
View File
@@ -0,0 +1,24 @@
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: observability
namespace: argocd
spec:
description: Observability stack (metrics, monitoring)
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://victoriametrics.github.io/helm-charts/
destinations:
- namespace: 'observability'
server: https://kubernetes.default.svc
clusterResourceWhitelist:
- group: ''
kind: Namespace
- group: 'rbac.authorization.k8s.io'
kind: ClusterRole
- group: 'rbac.authorization.k8s.io'
kind: ClusterRoleBinding
namespaceResourceWhitelist:
- group: '*'
kind: '*'
+16 -6
View File
@@ -8,14 +8,18 @@ spec:
description: Platform infrastructure and core services description: Platform infrastructure and core services
sourceRepos: sourceRepos:
- https://git.unkin.net/unkin/argocd-apps - https://git.unkin.net/unkin/argocd-apps
- https://charts.jetstack.io
- https://cloudnative-pg.github.io/charts
- https://helm.elastic.co
- https://helm.releases.hashicorp.com
- https://purelb.github.io/purelb/charts
- https://intel.github.io/helm-charts/
- https://kubernetes-sigs.github.io/external-dns/
- https://releases.rancher.com/server-charts/stable
- https://victoriametrics.github.io/helm-charts/
- oci://gcr.io/k8s-staging-nfd/charts
- oci://ghcr.io/emberstack/helm-charts - oci://ghcr.io/emberstack/helm-charts
- oci://ghcr.io/woodpecker-ci/helm/woodpecker - oci://ghcr.io/woodpecker-ci/helm/woodpecker
- https://releases.rancher.com/server-charts/stable
- https://charts.jetstack.io
- https://kubernetes-sigs.github.io/external-dns/
- https://cloudnative-pg.github.io/charts
- oci://gcr.io/k8s-staging-nfd/charts
- https://intel.github.io/helm-charts/
destinations: destinations:
- namespace: '*-system' - namespace: '*-system'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
@@ -31,8 +35,12 @@ spec:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'node-feature-discovery' - namespace: 'node-feature-discovery'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'purelb'
server: https://kubernetes.default.svc
- namespace: 'puppet' - namespace: 'puppet'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
- namespace: 'reposync'
server: https://kubernetes.default.svc
- namespace: 'woodpecker' - namespace: 'woodpecker'
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
clusterResourceWhitelist: clusterResourceWhitelist:
@@ -50,6 +58,8 @@ spec:
kind: ValidatingWebhookConfiguration kind: ValidatingWebhookConfiguration
- group: 'scheduling.k8s.io' - group: 'scheduling.k8s.io'
kind: PriorityClass kind: PriorityClass
- group: 'purelb.io'
kind: '*'
- group: 'nfd.k8s-sigs.io' - group: 'nfd.k8s-sigs.io'
kind: NodeFeatureRule kind: NodeFeatureRule
- group: 'deviceplugin.intel.com' - group: 'deviceplugin.intel.com'
+1 -1
View File
@@ -18,6 +18,6 @@ while IFS= read -r -d "" k; do
-summary \ -summary \
-output pretty \ -output pretty \
-verbose \ -verbose \
-skip CustomResourceDefinition,GpuDevicePlugin \ -skip CustomResourceDefinition,GpuDevicePlugin,LBNodeAgent,ServiceGroup \
"${schema_args[@]}" "${schema_args[@]}"
done < <(find apps/overlays -name kustomization.yaml -print0) done < <(find apps/overlays -name kustomization.yaml -print0)